mail client (within our network) -> Ironport -> delivers to Internet.
Yes, you can do that. You would use a private listener on your IronPort appliance and configure your mail clients to use it instead of your MTA. AsyncOS supports SMTP authentication, so if you're currently requiring SMTP authentication on your MTA then you could continue to do so after switching to the IronPort. AsyncOS can authenticate against an LDAP directory, or it can authenticate against another SMTP server that supports authentication, essentially forwarding the authentication transaction (but not any e-mail), over to the other server.